Hands-on: hacking WiFi Protected Setup with Reaver

We try out an attack tool developed by researchers who wanted to demonstrate …

The MAC address and WiFi Protected Setup PIN for the router attacked in our Reaver test.

Photograph by Sean Gallagher

WiFi hacking has long been a favorite pastime of hackers, penetration testers, and people too cheap to pay for their own Internet connection. And there are plenty of targets out there for would-be hackers and war drivers to go after—just launch a WiFi scanner app in any residential neighborhood or office complex, and you're bound to find an access point that's either wide open or protected by weak encryption. Fortunately (or unfortunately, if you're the one looking for free WiFi), those more blatant security holes are going away through attrition as people upgrade to newer routers or network administrators hunt down vulnerabilities and stomp them out. But as one door closes, another opens.

Last week, security researchers revealed a vulnerability in WiFi Protected Setup, an optional device configuration protocol for wireless access points. WPS lets users enter a personal identification number that is hard-coded into the access point in order to quickly connect a computer or other wireless device to the network. The structure of the WPS PIN and a flaw in the protocol's response to invalid requests make attacking WPS relatively simple compared to cracking a WiFi Protected Access (WPA or WPA2) password. On December 28, Craig Heffner of Tactical Network Solutions released an open-source version of an attack tool, named Reaver, that exploits the vulnerability.

To find out just how big the hole was, I downloaded and compiled Reaver for a bit of New Year's geek fun. As it turns out, it's a pretty big one—even with WPS allegedly turned off on a target router, I was able to get it to cough up the SSID and password. The only way to block the attack was to turn on Media Access Control (MAC) address filtering to block unwanted hardware.

My target was a Cisco Linksys WRT54G2 Wireless-G Broadband Router, an older but fairly common residential WiFi router. The PIN for the router is printed on the bottom, along with its MAC address; in WPS mode, a computer can use that PIN to retrieve the network configuration information without the user having to worry about remembering a long password or otherwise mess with the router's administrative interface. Normally, to get the PIN, you'd need to have physical access to the router.

For my attack platform, I used an aging Toshiba Satellite A135 running Ubuntu 11.10. In order to compile Reaver, I also had to install libpcap, the network traffic capture library, through Ubuntu's Software Center. With libpcap configured, Reaver compiled without a hitch, and it was time to start beating on the door.

The first step in mounting an attack on a WiFi router is to identify the target's MAC address. While I was able to read it right off the router, the address was also easy to grab using a WiFi scanning application. (The scanner also revealed that most of my neighbors' WiFi networks were potentially vulnerable to Reaver, or that they were still running older routers using only WEP security—and some had no security in place at all.) With the MAC of my target recorded, I prepared to unleash Reaver.

Before launching a brute-force PIN hacking effort with Reaver, the attack platform's wireless adapter needs to be put into "monitor" mode. In Linux, that's done from the command line using ifconfig (an interface configuration tool) and iwconfig (which controls the configuration of wireless interfaces); both need to be run as the root user. After making sure I was disconnected from any other WiFi network, I went into an Ubuntu terminal window and entered:

With the wireless adapter now ready to perform packet capture, I launched Reaver. The open-source version of Reaver is a command-line tool; Tactical Network Solutions also sells a commercial version that includes a Web-based client and software support. While I used version 1.2 of Reaver, a 1.3 version was released on January 3, and it can speed up attacks. It does so by reducing the size of the "secret number" used to create the shared encryption key used to pass requests—this cuts the crypto workload on the access point and reduces the time needed between attempts.

Reaver only requires two inputs to launch an attack: the wireless interface to launch it from, and the MAC address of the target. Because it accesses the wireless adapter directly, it needs to be run as root:

sudo reaver -i wlan0 -b 00:01:02:03:04:05

I went with this default approach, but there are a number of other parameters that can be used to tweak the attack for different routers, such as setting the tool to pause when the access point stops responding, and adding a response back to the access point to clear out failed attempts (this is not required by most routers). The results:

Sean Gallagher

The attack took about six hours to properly guess the PIN and return the SSID and password for the target network. During that time, the router locked up once under load, as I was putting normal levels of network traffic through it from other devices. Some routers will also lock out WPS requests for five minutes or so when they detect multiple failed PIN submissions—mine stopped responding occasionally, generating a string of warnings, but Reaver picked back up where it left off once the Linksys started responding again.
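As an added example (not code from the article or from Reaver), the following Python models why the search described above finishes in hours rather than years: the 8-digit PIN carries a checksum digit, and the access point's reply to a wrong PIN reveals whether the first half was correct, so the two halves can be searched separately. It also shows how the five-minute lockout behaviour mentioned above changes the worst-case time; the seconds-per-attempt figure and lockout policy are constructed assumptions, not measurements.

```python
"""Size of the WPS PIN search and the effect of an AP lockout policy.

Added example, not code from the article or from Reaver. The checksum
rule is the standard WPS one (odd-position digits weighted 3, even
weighted 1, mod 10); the timing constants below are assumptions.
"""


def wps_checksum(pin7: int) -> int:
    """Checksum digit for the 7 free digits of a WPS PIN."""
    acc = 0
    weight = 3
    for digit in f"{pin7:07d}":
        acc += weight * int(digit)
        weight = 1 if weight == 3 else 3
    return (10 - acc % 10) % 10


def is_valid_pin(pin8: str) -> bool:
    """True if an 8-digit PIN string ends in the correct checksum digit."""
    if len(pin8) != 8 or not pin8.isdigit():
        return False
    return wps_checksum(int(pin8[:7])) == int(pin8[7])


def worst_case_attempts(half_oracle: bool) -> int:
    """Worst-case number of PIN submissions.

    Without the protocol flaw, every PIN with a valid checksum is a
    candidate: 10**7. With it, the first four digits are confirmed on
    their own (10**4), then only three digits of the second half are
    free because the checksum is derivable (10**3).
    """
    return 10**4 + 10**3 if half_oracle else 10**7


def worst_case_seconds(attempts: int, seconds_per_attempt: float,
                       lockout_after: int = 0,
                       lockout_seconds: float = 0.0) -> float:
    """Worst-case wall-clock time under an AP lockout policy.

    The AP is assumed to refuse WPS for lockout_seconds after every
    lockout_after failed submissions; lockout_after=0 means no lockout.
    """
    total = attempts * seconds_per_attempt
    if lockout_after > 0:
        total += (attempts // lockout_after) * lockout_seconds
    return total


if __name__ == "__main__":
    # Constructed sample PIN: 1234567 plus its checksum digit.
    print("12345670 valid:", is_valid_pin("12345670"))  # True
    print("12345671 valid:", is_valid_pin("12345671"))  # False

    attempts = worst_case_attempts(half_oracle=True)
    print("attempts with half-oracle:", attempts)
    # Assumed 2 s per attempt, no lockout: roughly six hours.
    print("no lockout (h):", worst_case_seconds(attempts, 2.0) / 3600)
    # Assumed 5-minute lockout after 3 failures: roughly 13 days.
    locked = worst_case_seconds(attempts, 2.0, 3, 300.0)
    print("with lockout (days):", locked / 86400)
```

Under these assumptions the oracle-free search of 10**7 PINs would take months, which is why leaking the validity of each half separately, not the PIN length, is what makes the attack practical; a lockout on repeated failures is the mitigation a firmware fix can add.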

Having demonstrated the insecurity of WPS, I went into the Linksys' administrative interface and turned WPS off. Then, I relaunched Reaver, figuring that surely setting the router to manual configuration would block the attacks at the door. But apparently Reaver didn't get the memo, and the Linksys' WPS interface still responded to its queries—once again coughing up the password and SSID.

The tool also managed to repeatedly cause the router to stop responding to other computers on the network, essentially creating a denial of service attack—a great thing to remember for the next time my neighbors have a loud, all-night Call of Duty session.

In a phone conversation, Craig Heffner said that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they've tested. "On all of the Linksys routers, you cannot manually disable WPS," he said. While the Web interface has a radio button that allegedly turns off WPS configuration, "it's still on and still vulnerable."

MAC filtering doesn't help either—that's "easily circumvented," he said. All an attacker has to do is use a network monitoring tool to detect the MAC address of a system that has an existing connection to the router, and set that as the address of their attack platform.

Six to eight hours seems like a lot of time to spend trying to hack into someone's residential WiFi. But considering how many small and medium-sized businesses use access points like the Linksys—and the kinds of data that could be exposed by gaining access to the computers on even the average home network—there's plenty of potential damage to be done by those who run the tool, or something similar of their own devising. And the attack could be carried out unattended, using a device left near the target network and controlled remotely.

The bottom line is that, while WPS was designed for simple security, there is no such thing as simple security. The only way to be absolutely sure that someone can't gain access to your wireless network with the WPS hack is to make sure you use a router that doesn't support the protocol.

I'm in the middle of moving our company over from an older Netgear 802.11g WAP to an AirPort Extreme for wireless access (routing duties are handled by a dedicated computer running ClearOS). The APE doesn't support WPS at all, so that's a relief to me. We just moved off a Linksys WAP at home to an APE as well, so at least that closes that security hole. We're still running a second Linksys 802.11g WAP in our basement, but it doesn't support WPS. This really is a major security hole, and I hope Cisco pushes out firmware updates for their access points as soon as possible.

Now that I think about it too, we put a Buffalo WAP/router in my grandmother's house not too long ago. I'll have to take a closer look at that the next time I'm there.

Most interesting article I have read here in quite some time. Kudos to Sean for a great write-up! Would love to see if there are alternative programs that do similar functionality in a Windows/Mac environment. Looks like I'll be firing up the Linux VM and playing around tonight!

This protocol would not have been broken if the router would just shut up and not give you hints about how close you are to the real PIN. It'd still be easy and it'd be secure (enough). At least not exploitable in this way.

Thanks for the article, now I am very worried about my Netgears. DD-WRT will not install on it and the only other one I have is 802.11b. Seems I am going back to the stone age till I can get a new router.

Does anyone else think this has "Class Action Lawsuit" written all over it? I mean, if you specify in the configuration to *disable* WPS, and it's still vulnerable, that seems like a major screw up by the device manufacturer.

I wonder if they can fix this with firmware updates? I wonder if they'll *bother* to release firmware updates for any models which have been in production longer than 6 months?

Will this give attackers the ability to decrypt the traffic of other members of the network, or just allow them to connect and use your network?

I mean, don't get me wrong - that's still very bad - they might possibly access things like servers, NAS, or printer if you didn't secure them, and just plugged them into the ether port on your router, or attempt to login to your router's admin interface, attempt to launch attacks against other computers on your network from *behind* the firewall. Sounds pretty scary, but would be nice to know that at least your wireless traffic still remains encrypted?

Just remembered that I received a WNR3500L from the government for the Sam Knows study. Far be it from me to decline a free wifi router with gigabit ethernet. But... the requirement was that I couldn't replace the stock firmware.

There is a section in the settings that allows me to "Disable Router's PIN." But, from what I've read, not sure that will prevent intrusion.

I guess I will have to try and hack my own device. If it still can be hacked, even when WPS is disabled... then I will have to replace the stock firmware. Government be damned.

Hmmm, can D-Link routers turn off the feature completely? I'm pretty sure there is an option to do it (can't connect to my home one right now, my IP changed), but I'd like to know if turning off WPS actually turns off WPS.

Will this give attackers the ability to decrypt the traffic of other members of the network, or just allow them to connect and use your internet connection (and possibly access things like servers, NAS, or printer if you didn't secure them, and just plugged them into the ether port on your router, or attempt to login to your router's admin interface, etc)?

This gives you the SSID, the PIN, and the password. The PIN gives you access no matter what changes about the rest of the configuration. It doesn't give direct access to the administrative interface, but once you're connected, you've got access to any web-based admin interface and can then proceed to attack the login (If you don't get in with "admin" and "password" on the first attempt).

Will this give attackers the ability to decrypt the traffic of other members of the network, or just allow them to connect and use your network?

Unless you still use WEP, no, no one will be able to easily snoop your conversations. But be advised that WPA's TKIP encryption has been broken, so your only chance of reasonable security is a WPA2 AES based setup (PSK or Enterprise).

This seems like a pretty big flaw in the design of WPS (both the always-active PIN method, and the [relative] ease to brute force it).

I would have thought a combination of the PIN and push-button techniques would be best: Hit a physical button on your router, read the PIN and then you have 5 minutes (or 10 or 15 or < 6hr!) to run to your device and enter the PIN before the router stops responding. Perhaps even better if the PIN can be read off a small screen and changes each time (perhaps?) ...

As it stands I either have my wifi wide-open for a few mins when I use the push-button method if anyone happens to be scanning at the same time, or someone suitably motivated can break down the PIN at their leisure - neither sound ideal.

Time to see if I can just disable in the router and key in the 'long' key for each new device like ye olde days ...

Will this give attackers the ability to decrypt the traffic of other members of the network, or just allow them to connect and use your network?

Per the screenshot in the article, the hack enables someone to discover the WPA key and, therefore, to associate with the access point. Whether or not the hacker could gain further access to devices on the network would depend on how that network and those devices are configured. For example, if DHCP is running then the hacker's computer will receive an IP address and be able to access any unsecured devices (e.g. web servers, file servers, printers, etc.) in that IP's subnet, or any other routed subnet. If the router itself is unsecured from the LAN side then the hacker would have access to its configuration pages as well. Encrypted traffic from other wireless clients would not be accessible as a result of this hack, but any open ports on those devices would be available for the hacker to attempt to utilize, e.g. Remote Desktop access, FTP, and so on.

Will this give attackers the ability to decrypt the traffic of other members of the network, or just allow them to connect and use your internet connection (and possibly access things like servers, NAS, or printer if you didn't secure them, and just plugged them into the ether port on your router, or attempt to login to your router's admin interface, etc)?

This gives you the SSID, the PIN, and the password. The PIN gives you access no matter what changes about the rest of the configuration. It doesn't give direct access to the administrative interface, but once you're connected, you've got access to any web-based admin interface and can then proceed to attack the login (If you don't get in with "admin" and "password" on the first attempt).

The core of the reason to limit admin login to hardwire (although I don’t know if that’s an option with the test router you were using).

My D-Link has WPS. It can be turned off, although I still have to test it and see if it's really off. What I do find nifty is that my WPS PIN is not permanent. I can change it (and have). So even if I can't permanently disable it, I can change it daily. It's the DIR-655 if anybody is interested.

#1 & #2 are pretty much a complete waste of time - doing those things would block only the dumbest of script kiddies. Anyone even vaguely competent when it comes to unauthorized intrusion will bypass that stuff in seconds with easily available tools. #3 is fine if you know for sure that your router really does disable WPS when you turn it off in the config. If it doesn't then #4 is irrelevant since the WPS hack reveals the WPA key.

EDIT: Also, #2 is potentially damaging to legitimate use. If you're using a MAC address and someone uses that address* for the computer they're using to hack into your router, your access to that router will likely be disrupted due to conflicts.

* Note: MAC addresses are sent over wi-fi in the clear; it's trivial for a hacker to snag one and apply to their own computer.

My D-Link has WPS. It can be turned off, although I still have to test it and see if it's really off. What I do find nifty is that my WPS PIN is not permanent. I can change it (and have). So even if I can't permanently disable it, I can change it daily. It's the DIR-655 if anybody is interested.

That's what I have as well. Please let me know if you test and find out whether or not off means off for the DIR-655.

The problem here is really that so many routers either don't offer a way to turn off the PIN or don't actually shut it off when you set it to. It's almost like they never expected security to be cracked...

...or a more cynical person might think they knew it would eventually and they could sell more routers if they then offered newer routers that offered better security for shutting such things off.

I'm in the middle of moving our company over from an older Netgear 802.11g WAP to an AirPort Extreme for wireless access (routing duties are handled by a dedicated computer running ClearOS). The APE doesn't support WPS at all, so that's a relief to me. We just moved off a Linksys WAP at home to an APE as well, so at least that closes that security hole. We're still running a second Linksys 802.11g WAP in our basement, but it doesn't support WPS. This really is a major security hole, and I hope Cisco pushes out firmware updates for their access points as soon as possible.

Now that I think about it too, we put a Buffalo WAP/router in my grandmother's house not too long ago. I'll have to take a closer look at that the next time I'm there.

I'm not entirely sure on this. The Extreme doesn't exactly advertise it (I think it's a hidden setting) but as of a couple of years ago you could still use a WPS PIN to connect a device to it.

Anyway, I needed a new router at home and it seems something I can install DD-WRT on is the way to go for security.

Netgear has at least addressed the fact that it can happen, their only response is "we temporarily stop accepting WPS access, and you can turn it off completely if you want to!" I would like to see a firmware update, but knowing how these companies treat consumer products, that will be unlikely for anything older than the latest new release.

No offense, but this article is a bit like yelling fire in a theater. The reviewer tested ONE router, and an old one at that. This is the sort of thing a more comprehensive test/review is required. Take that old laptop to your friends and family and try out all sorts of different routers.

Someone should be compiling a list of vulnerable routers and publishing it.

No offense, but this article is a bit like yelling fire in a theater. The reviewer tested ONE router, and an old one at that. This is the sort of thing a more comprehensive test/review is required. Take that old laptop to your friends and family and try out all sorts of different routers.

Someone should be compiling a list of vulnerable routers and publishing it.

This has nothing to do with routers, but with the protocol itself. Unless they used a non-standard implementation (which is unlikely since it could break the functionality), every router is vulnerable.

I mean it MUST still be better than running WEP, which way too many people still use.

Ugh, do NOT turn off your SSID broadcast. It's just being a bad neighbor (can cause issues with interference) and anyone doing even vague snooping will find the SSID pretty fast. Also, since the fact that you CAN'T turn off WPS is the problem, #3 is also missing the point. #2 is just dumb and even easier to spoof/get around than #1.

I have an old WRT54G, previously running DD-WRT, currently running a current-ish version of Tomato. To my knowledge, neither of these firmwares has anything in its code for WPS at all. Though I am not sure that newer routers come with WPS, I wonder if there is a way to disable it, or change the PIN or anything like that?

EDIT: I could maybe go to a Starbucks and try this wonderful program? Even down the road, probably. But I'd need to be running Linux and have a battery that lasts more than an hour.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.